A quick refresher of application components under Android

Each Android app consists of a collection of components that work together, and potentially with components of other apps, to provide the app’s functionality. The developer does not write a main method for their app; instead, they write components that may be invoked by other parts of their app, or by other apps, including those that come as part of Android itself.

This is great from a user experience point of view. Collectively the components of the different apps installed on a device cooperate and provide a rich user experience, where apps are able to access data stored by other apps, or get other apps to perform tasks on their behalf.

However, from a security point of view this cooperation between apps is open to abuse, and app developers must think carefully about how they structure their apps, and how the services they provide may be abused.

The different component types

Components come in four types:

Activities: these are components that provide a user interface screen and correspond to activities that the user might perform, e.g. dial a phone number, take a photograph, or compose an email.

Services: these are components that perform potentially long-running tasks that operate in the background without a user interface, e.g. downloading a file, playing music, or synchronising email with a server.

Broadcast Receivers: these are components that listen for messages broadcast by other components (possibly in other apps) and then perform an action, e.g. when a phone call is received, this is broadcast to other apps so that music players, for example, can pause playback.

Content Providers: these are components that provide controlled access to their app’s data. Content Providers are intended for when an app wants to share its data with other apps, e.g. a contacts app may want to share access to its database with the phone app or an email app.

Android provides mechanisms by which a component can communicate with another component, or ask another component to perform an action on its behalf. The Principle of Least Privilege says that we should secure these interactions, so that a component can be reached only by the callers that need it.

Every Android application must have an AndroidManifest.xml file which (among other things) lists the app’s components so that Android can run them.

Note for Nerds: unlike the other types of components, Broadcast Receivers can also be registered programmatically. This is done using registerReceiver(). A typical use is an app that is only interested in a certain type of message when it is in a particular state. A Broadcast Receiver registered with registerReceiver() can be unregistered with unregisterReceiver().
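As an added example (not code from the original page), the Python script below inventories the four component types declared in a decoded, text-form AndroidManifest.xml and flags those that other apps may be able to reach without holding a permission. The manifest, package and class names are constructed; android:exported and android:permission are real manifest attributes that the text above does not cover.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Manifest element name -> component type as named in the text above
COMPONENT_TAGS = {"activity": "Activity", "service": "Service",
                  "receiver": "Broadcast Receiver", "provider": "Content Provider"}

# Constructed sample manifest (hypothetical package and class names)
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.mail">
  <application>
    <activity android:name=".ComposeActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".CallReceiver">
      <intent-filter><action android:name="android.intent.action.PHONE_STATE"/></intent-filter>
    </receiver>
    <provider android:name=".MailProvider" android:authorities="com.example.mail"
              android:exported="true" android:permission="com.example.mail.ACCESS"/>
  </application>
</manifest>
"""

def attr(element, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")

def list_components(manifest_xml):
    """Return one dict per component declared under <application>."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for element in root.iterfind("application/*"):
        if element.tag not in COMPONENT_TAGS:
            continue
        name = attr(element, "name") or ""
        if name.startswith("."):          # shorthand relative to the package
            name = package + name
        found.append({
            "type": COMPONENT_TAGS[element.tag],
            "name": name,
            "exported": attr(element, "exported"),
            "has_intent_filter": element.find("intent-filter") is not None,
            "guarded": any(attr(element, p) for p in
                           ("permission", "readPermission", "writePermission")),
        })
    return found

def needs_review(component):
    # Explicitly exported, or exported unset with an intent filter (the platform
    # default then applies and has varied across Android versions), and unguarded.
    open_to_others = component["exported"] == "true" or (
        component["exported"] is None and component["has_intent_filter"])
    return open_to_others and not component["guarded"]
```

Broadcast Receivers registered with registerReceiver() never appear in the manifest, so an inventory like this one has to be complemented by a search of the app's code for those calls.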